evaluation methods of aircraft flight safety
TRANSCRIPT
1
Abstract
The paper includes a method of probability and
risk evaluation of technical damage to
functional-relief (redundant) systems using the
Poisson model. The paper raised the problem of
diagnosis errors and erroneous usability
evaluation and describes the example of a real
event of an aircraft landing without the released
landing gear as a consequence of an erroneous
diagnostics. The rescue process in a situation of
an aviation accident hazard was described
briefly.
1. Introduction
By assumption, the aeronautics has high
reliability requirements, which, in practice, are
implemented through special inspection
procedures and appropriate design solutions
involving introduction of excesses of structure,
strength, power, information, etc. The structural
excess is characterised by elements or
functional systems, basic and reserve-protective
ones. After the damage to the basic system,
protective systems join to functioning. This
ensures a high level of aircraft flights safety,
which is one of the most important issues in the
air transport. Despite these protections and great
efforts of technical services, failures causing
accidents happen. The protecting systems
constituting the reserve of basic systems
significantly increase the production costs and
reduce the overall performances, such as
capacity, range, fuel consumption, etc. They
also require special treatment in the operation of
aircrafts, so that they have very high probability
of correct functioning at the very low
probability of use. The accuracy of continuous
or periodic identification of a usability state is
an important issue. The person stating the
usability state of basic and reserve technical
systems can make two types of errors:
– an error of the first type consists of
qualifying the usable device as unsuitable;
– an error of the second type consists of
qualifying the unsuitable device as usable.
The result of the erroneous qualification of
the system activating the emergency release of
the landing gear was the emergency landing of
the PLL LOT plane, Boeing 767-300ER, on
November 1, 2011, at the Warsaw Frederic
Chopin Airport.
2. Estimating the probability of damages to
the aircraft systems
Quantitative description and probability
evaluation of the damage to the basic and
protective systems of the aircraft can be
executed according to the postulates of the
Poisson point process.
Assuming that:
- the probability of damage is directly
proportional to the length of the concerned
time period and the number of operated
aircrafts;
- the proportionality factor identifying the risk
of damage is constant;
The following system of equations is legit:
))(()()( ttNtPttP 100
ttNtPttNtPttP )()())(1()()( 011
(1)
ttNtPttNtPttP nnn )()())(()()( 11
for n > 0
where:
EVALUATION METHODS OF AIRCRAFT FLIGHT SAFETY
Jan Rajchel*, Józef Żurek**, Ryszard Kaleta**
* Polish Air Force Academy, ** Air Force Institute of Technology
Keywords: reliability, safety, redundancy
JAN RAJCHEL, JÓZEF ŻUREK, RYSZARD KALETA
2
),(0 tttP - probability of non-occurrence of
damages to basic and protective systems in the
time interval of t ;
),( tttPi (i = 1, ... n) - probability of the
occurrence of the “i” number of damages
in the time interval of t ;
)(tN - number of operated aircrafts, in which a
considered damage may occur;
- proportionality factor that represents the
damage risk;
t - adopted time interval of aircrafts operation
(or the aircraft’s flying time length).
By dividing the equations (1) by t and going
to the boundary with 0t , we obtain the
following system of equations:
)()(' tPtNP 00
)()()()( 01
'
1 tPtNtPtNP (2)
)()()()(' tPtNtPtNP nnn 1
For the system of equations (2), the initial
conditions are as follows:
100 )(P
(3)
0)0( nP for n > 0
The equations (2) are linear differential
equations and they are solved recursively. First,
we find )(tP0 . While knowing )(tP0 , we then
set )(1 tP and so on.
The solution of the system of equations (3) takes the form of:
dttN
t
etP)(
)(
00
(4)
dtLNt
edttN
ntP
nt
n
)(0
0
)(!
1)(
The probability that in the time interval (0, t)
occurs n of damages requiring launch of
protection systems is described with the Poisson
distribution, whereas the role of the expression
“ t ” is replaced with the following value
dttNt
)(0
due to the low incidence of this
damage type in the process of aircraft operation.
The integral dttNt
)(0
can be replaced with the
following sum:
i
N
i
t
tdttN 10
)( (5)
where:
N – number of aircrafts operated at the
considered time;
it – flying time of the aircraft operated
at the considered time;
For a single aircraft, the probability of
damages during the considered t flying time will
be:
teq 11 (6)
where:
q
1 – the probability of damage in one
aircraft;
t – flying time of an aircraft.
Since the risk of the damage to both
systems (basic and protective) that causes the
failure is low, the expression te can be
expanded into a power series.
Hence:
te t 1 (7)
3
EVALUATION METHODS OF AIRCRAFT FLIGHT SAFETY
By substituting (7) to (6), we obtain:
q
2 t (8)
One can estimate the probability of failure
in a single aircraft with the dependency (8).
The probability of correct aircraft
functioning is expressed by the dependency:
tP ̂11 (9)
In order to estimate the average number of
failures during a given period for the operated
aircraft park, the following dependency can be
used:
i
N
i
n
n
ttPnnE
11
ˆ)( (10)
where:
ti - flying time during a given period of
the i-th aircraft
N - number of the operated aircrafts.
We are often interested in not only the
probability of occurrence of n damages for a
given flying time, but also in the value of the
factor characterising the intensity (risk) of
damage occurrence. In order to set the
parameter estimator, we apply the maximum
likelihood method. Suppose that we have
observed and recorded the formation of the
damages in several separate time intervals,
when the aircrafts’ flying time was: t1, t2, ..., ti.
As a result of the observations, the following
was obtained:
- in the interval (0, t1), n1 damages
occurred;
- in the interval (t1, t2), n2 damages
occurred;
- in the interval (ti-1, ti), ni damages
occurred;
The probability of formation of the said
number of damages, i.e. n1+ n2+...+ni, during
operation at the intensity of their formation
equal to is expressed by the dependency:
122
11
2
21 T
i
niT
nT
i
n
en
Te
n
Te
n
TL
i
!
)(
!
)(
!
)(
)...(...
!...!!
...i
iiTTT
i
ni
nnnnn
ennn
TTT
21
2121
21
21
(11)
where:
1 iii ttT
The probability written above, considered
as a function of the variable at the defined
ii TTTnnn ,...,,...,, , 2121 , is called the
likelihood. We now find that value of for
which the likelihood L takes the greatest value.
For this purpose, we logarithm the dependence
(11) and calculate the derivative in relation to ,
which we equate to zero. By solving the
obtained equation in this manner, we find the
dependence for .
Hence:
i
i
TTT
nnn
...
...ˆ
21
21 (12)
With the help of the dependency (12), we
determine the estimator of the ratio with the
maximum likelihood method.
Hence the dependency (11) takes the
form:
tq ̂ˆ (13)
where:
t – the aircraft’s flying time within the year.
The dependence (13) makes it possible to
estimate the probability of damages in a single
aircraft during a given time interval.
3. Analysis of errors of diagnosis and to
stating the usability state of technical systems
The aeronautics is characterised by
specified ergonomic properties and a certain
reliability. The reliability of diagnostic
equipment and ergonomics of technical systems
affect the errors committed by the operator. A
person equipped with diagnostic equipment can
make two types of errors, whose measurements
are the occurrence probabilities marked with
symbols and .
– means an error of the first type; it
consists of qualifying the qualifying the usable
device as unsuitable; the Institute of
Mechanised Construction and Rock Mining
JAN RAJCHEL, JÓZEF ŻUREK, RYSZARD KALETA
4
– means an error of the second type; it
consists of qualifying the unsuitable device as
usable.
Making the error of the first type in the
identification of an aircraft’s usability may
cause losses through an unplanned downtime
and a repeated inspection. In the case of making
the error of the second type, more dangerous
consequences with the possibility of an aviation
accident are often caused;
Three factors determining identification
errors can be mentioned:
– monitoring susceptibility of a facility – it
shows the extent, to which the object is
adapted to the inspection and the
inspection procedures identify the actual
situation as well as what is the
percentage of not inspected features;
– technical equipment of the operator
inspecting the state of the facility and
procedures of results interpretation;
– predispositions of the operator, his or her
qualifications, personal characteristics;
– circumstances of the inspection, climatic
conditions, time stress, information
stress, etc.
As it results from the above
considerations, the identification error is a
parameter of systemic nature. The facility
designer, the designer of diagnostic equipment,
the operator equipped with diagnostic
equipment of a sufficient quality, and the
training of the operator conducting
identification are responsible for the error of the
facility condition identification. Despite the fact
that the identification error depends on many
factors, it is the person conducting the
identification who is legally and morally
responsible for the effects resulting from the
identification error. Removal of responsibility
from the operator follows the specified tests
conducted by the specially appointed expert
teams. These teams often include also experts
from scientific and research institutions. These
teams determine the causes of the erroneous
qualifying of the facility condition. This results
in a stressful situation for the operator, who
does not always understand the essence of
various sources of misidentification, blaming
himself or herself for adverse events. The
problem of errors of the first and second type
during the identification of the usability state
has a legal-moral, economical and technical
aspect.
The source of the error is sometimes
unreliability of diagnosing units equipped with
the necessary equipment and procedures of
stating the usability state. With regard to the
facility, on which the condition is identified, it
can be said that there are the following events
on it:
01A - An event involving the facility’s
being in the state of usability and its keeping
this state during the identification. The
probability of such an event is marked with
01P .
A02 - An event involving the occurrence of
a damage detected during the identification in
the facility until or during the identification. The
probability of such an event is 02q .
A03- An event involving the occurrence of
a damage not detected during the identification
in the facility until or during the identification.
The probability of such an event is marked with
03q .
These probabilities meet the condition:
1030201 qqP (14)
The diagnosis process may include the
following events:
A11 - An event involving the correctly
conducted diagnosis and the flawless statement
on the facility state. The probability of such an
event is P11.
A12 - An event involving the facility
declared unsuitable regardless of its state. The
probability of such an event is q12 .
A13 - An event involving the facility
declared usable regardless of its state. The
probability of such an event is. The probability
of such an event is 13q .
14A - An event involving the facility
declared unsuitable, whereas in fact it is usable,
and the facility declared usable, whereas in fact
5
EVALUATION METHODS OF AIRCRAFT FLIGHT SAFETY
it is unsuitable. The probability of such an event
is marked with 14q .
These probabilities meet the condition:
114131211 qqqP (15)
The probability of an event that the facility
declared unsuitable is in fact usable, i.e. making
the error of the first type, is given with the
formula:
1
1
01
02 11 14
11 13
P
q P q
P q
(16)
The probability of an event involving the
facility declared usable, whereas it is in fact
unsuitable, i.e. making the error of the second
type is given with the formula:
1412
14110201
01
1
1
11
qPqP
P
(17)
The influence of possible events is the
process of diagnosis on the values of the errors
of the first and second type results from the
cited formulas.
4. Shaping of the errors of the first and
second type by teaching the operator method
Fig. 1 shows the course of function m of
reducing the error of the first type as a result of
a m-fold repetition of actions performed by the
operator or diagnosing team for different values
of an experimentally determined factor C .
These errors in the function of the
number m of tests are given with formulas:
11
m
m C (18)
mm
C
11
(19)
The intensity of learning has a significant
impact on the reduction of the errors of the first
and second type. As a result of the training, the
operator learns using the controls, reading
instrument indications and interpretation of
symptoms of the facility's usability and
unsuitability. For the purposes of teaching the
operator, the specific states are modelled. As a
result of conducted research and analyses,
coefficients C C , characterising the
quantitative progress of the training and the
intensity of the error of the first and second
type’s reduction are determined.
0,00
0,02
0,04
0,06
0,08
0,10
0 2 4 6 8 10 12
C1 C2 C3
m
Fig. 1. Course of function m for different values of C for 0 1, .
.1C ;4,0C ;1,0C
JAN RAJCHEL, JÓZEF ŻUREK, RYSZARD KALETA
6
5. Example result of an erroneous diagnosing
The fact of some error in diagnosis can be stated
on the example of the above-mentioned
emergency landing of the PLL LOT plane,
Boeing 767-300ER, on November 1, 2011, at
the Warsaw Frederic Chopin Airport. We would
remind that the Boeing 767-300 of the Polish
airlines LOT departed from the Newark airport
(USA) after midnight on November 1, 2011.
After c. 30 minutes after the departure from
Newark, the crew of the Polish plane signaled a
failure of the central hydraulic system. The
machine had another system, an emergency one,
which could eject the landing gear. After the
departure, the plane was filled with fuel and
despite the fault, it would not be justified to fly
around over the U.S. territory for many hours
because only after fuel consumption it would be
possible to check the operation of the system
extending the landing gear and to try to land.
The captain made the decision to continue the
flight, although he could not be sure as to the
usability of the emergency system – he was
going to check the operation in Poland. Over
Warsaw, it proved that the usability of the entire
landing gear control system was evaluated
erroneously because its extension failed,
although the flaps had extended. Then the
decision to execute an emergency landing was
made. The result of the incorrect evaluation of
the situation described above was the failure of
the plane, which is a rare event in the operation
of aircrafts.
The members of the government committee
investigating the circumstance of the emergency
landing showed that the emergency system was
efficient but the crew did not use it because one
of the key fuses, which secured several
aircraft’s systems, including the emergency
landing gear extension system, was disabled. If
the fuse had been enabled, it the dramatic
landing at the Warsaw’s Okęcie would not have
happened.
6. Process of saving of a critical situation
In the considered flight, there occurred an event
involving consideration of the activating
element as usable regardless of its state and not
diagnosing it. An unaware classification of the
unsuitable device as usable without diagnosing
is the system error of the second type.
tFtT OBOBOB ,,
tFtT DDD ,,
SECURED OBJECT
Hydraulic system
ACTIVATING
ELEMENT
fuse
SECURING OBJECT
Electrical instalation
Fig. 2. Model of a relief system with a security system.
In the model representing the situation of
the emergency landing on November 1, 2011,
you can highlight the following elements (fig.
2): secured object – the landing gear extension
system, the securing object – emergency system
of landing gear extension and the activating
element.
In fig. 2, probabilistic characteristics of the
time of security task and available time were
marked.
OBT – random variable of the securing task
execution time,
tFOB – distribution function of the
random variable of the securing task execution
time,
7
EVALUATION METHODS OF AIRCRAFT FLIGHT SAFETY
,OBt – execution of the random variable –
time of flight over the airport and the search for
a solution,
DT – random variable of available time –
time of flight limited with remnants of fuel,
tFD – distribution function of the random
variable of available time,
Dt – execution of the random variable of
available time – maximum time of flight limited
with remnants of fuel,
Available time designates a reasonable
time necessary to prevent a dangerous situation.
In general, this time may be determined with,
for example, a fuel resource, a resource of an
active substance or any other type of energy
extending the system operation.
The analysis of the situation and taking
actions at available time can be described as
follows:
- receiving information about a hydraulic
system leak;
- making the decision to continue the
flight;
- initiation of the landing procedure;
- receiving information about a faulty security
system (electrical system);
- analysis of the obtained information and
search for a solution;
- making the decision about the emergency
landing on the aircraft fabric covering;
- implementation of the made decision;
- inspection of the made decision.
After receiving the information about a
defective security system (electrical system) and
inability to release the landing gear, there was
the search for solutions, which had to take place
at the available time – TD. After recognition of
the erroneous evaluation of the emergency
system, the only solution left was the use of a
different emergency protective system in the
form of the fuselage designed for this purpose.
Thanks to the pilot’s wise action, great skills
and precise action, the implementation of the
made decision of the emergency landing was
successful. This type of situation can be
described with the salvage equation (20), which
designates the probability of the danger defuse
at the available time through the convolution of
distribution functions of random variables of the
available time and execution time of the rescue
task.
0
tdFtFTTP OBDDOB (20)
The continuous variable of the available time
depends on the type of event. For example, for a
survivor at sea, it will be the time of survival
dependent on circumstances (temperature of the
water and his or her own equipment); for the
aircraft, the remained flight persistence; for the
parachutist, remaining height, etc. The
continuous variable of the execution time of an
intervention task also depends on many factors
– the type of the task, the degree of the rescue
team or system’s readiness, action efficiency.
In the cited example, making the right decision
and the precise landing proved to be the right
security action before the crash. The executions
of random variables in the considered event in
the relationship (tOB < tD) have fulfilled the
salvage condition.
The presented analysis of the diagnosis errors
and the rescue process model were presented in
a shortened version due to the limited scope of
the paper.
JAN RAJCHEL, JÓZEF ŻUREK, RYSZARD KALETA
8
References
[1] Ważyńksa-Fiok K. Niezawodność systemów
technicznych. [Reliability of technical systems].
PWN, Warszawa, 1990.
[2] [Borgoń J. Niezawodność i bezpieczeństwo systemu
pilot – statek powietrzny. [Reliability and safety of
the pilot – aircraft system]. Informator ITWL, 1987,
269/87.
[3] Skomra A., Tomaszek H. Metoda oceny
efektywności eksploatacji wojskowego statku
powietrznego. [Method of the military aircraft
operation efficiency evaluation]. ZEM, 3 1996 pp
355 – 367.
[4] Szajnar S., Tomaszek H. Durability of ejection seat
and pilot's safety of military aircraft in enemy
counteract conditions. ZEM, 1999.
[5] Szajnar S., Tomaszek H. Problems of calculate
indexes durability of ejection seat and safety of
military aircraft's crew in war conditions. ZEM.
Issue 3. 2001.
[6] Żurek J. Modelowanie systemów zabezpieczających
w urządzeniach transportowych. [Modelling of the
protective systems in transport devices], Oficyna
Wydawnicza Politechniki Warszawskiej, Prace
Naukowe, Transport, Warszawa 1998.
mailto:
Copyright Statement
The authors confirm that they, and/or their company or
organization, hold copyright on all of the original material
included in this paper. The authors also confirm that they
have obtained permission, from the copyright holder of
any third party material included in this paper, to publish
it as part of their paper. The authors confirm that they
give permission, or have obtained permission from the
copyright holder of this paper, for the publication and
distribution of this paper as part of the ICAS proceedings
or as individual off-prints from the proceedings.